[Owasp-topten] Top ten 2017 RC

Dave Wichers dave.wichers at owasp.org
Thu May 4 19:22:51 UTC 2017

A10 intentionally overlaps all of A1-A9, not just A7. The goal of A10 is to
raise awareness that the proliferation of APIs need to be secure, just like
the rest of the web application.

Attack Detection & Response are indeed 2 aspects of providing Attack
Protection. But we also feel that Attack Prevention (for example the old
school three failed logins and your account is locked mechanism) or a 'new
school?' if you submit a request that includes a menu choice not offered to
you (several times??) we are going to lock your account (or log you out),
is important too. You could certainly consider these 'responses' and so
that would fit within your proposed title.

But what if an app detects a set of attacks, and then deploys some kind of
temporary defense to prevent that type of attack. Is that considered a
'response' too?  Or if the developer identifies a flaw based on monitoring
attacks and quickly deploys a fix. Is that a 'response'?  I don't think
most people would think so.

That's why we are proposing the broader title 'Insufficient Attack
Protection'. Others have tried to add clarity to this title as well, but
have frequently ended up with a much longer title, which is problematic in
a different way.

I'm all for a better, more clear, more obvious to more people what we mean
title. But I think the title you have proposed does not cover everything we
intend for this new category to cover.

Any other suggested titles? I'd definitely love to come up with a better
one, because it apparently is confusing to some people. But I haven't been
able to think of one.

Thanks for your suggestions and keep em coming.


On Thu, May 4, 2017 at 12:40 PM, Joseph Mulhall <josephmulhall at icloud.com>

> On first glance, there is some overlap between A7 Insufficient Attack
> Protection and A10 Underprotected APIs which may confuse readers.  In an
> app sec conversation, 'protecting APIs' and 'protecting from attacks' mean
> similar things.
> In a number of common frameworks the distinction between
> prevention/protection, detection/response is made and understood throughout
> the industry - in short A10 deals with prevention/protection, A7 deals with
> detection and response.
> I would humbly suggest that A7 is renamed Insufficient Detection &
> Response for clarity of message.
> For both categories I welcome the architectural elements this brings into
> the OWASP top ten, which has been notably missing previously.
> Regards
> Joseph Mulhall
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20170504/9420d2db/attachment.html>

More information about the Owasp-topten mailing list